The One Identity Manager Data Governance Edition Deployment Guide provides detailed steps for deploying the Data Governance service; this section adds background for readers interested in the internal workings of that process and of the Data Governance service itself.
The deployment process for the Data Governance service includes the following:
Linking these accounts to the correct Data Governance application roles.
It is highly recommended that you use the Data Governance Configuration wizard to install the Data Governance service and the Resource Activity database. If, however, you need to install the Data Governance service to a location other than the default, you can use the Windows installer that is provided. For more information, see Manually deploying Data Governance service.
Data Governance service configuration settings are stored in one of the following places:
The Data Governance service contains settings in the DataGovernanceEdition.Service.exe.config file in the server directory: %ProgramFiles%\One Identity\One Identity Manager Data Governance Edition\Server.
For more information on the Data Governance service configuration file settings that can be configured, see Configurable configuration file settings.
Some Data Governance service settings can also be set in the Windows registry, under the following keys:
For more information on the Data Governance service registry settings that can be configured, see Data Governance service registry settings.
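As an added example (not One Identity's code and not part of the original page), the following PowerShell reads the appSettings section of the Data Governance service configuration file and compares it with a baseline you maintain, so that drift in the service configuration on the server can be spotted during a review. It assumes the file uses the standard .NET <appSettings> layout; the setting names in the embedded sample and in the baseline are constructed for illustration and are not real Data Governance settings.

```powershell
# Added example, not One Identity code. Assumptions: the service config file
# keeps its settings in a standard .NET <appSettings> section; the key names
# in the sample file and baseline below are invented for illustration only.

$DgeConfigPath = Join-Path $env:ProgramFiles `
    'One Identity\One Identity Manager Data Governance Edition\Server\DataGovernanceEdition.Service.exe.config'

function Get-AppSettingsFromXml {
    # Returns a hashtable of key -> value for every <add> under <appSettings>.
    param([Parameter(Mandatory)][string]$XmlText)
    [xml]$doc = $XmlText
    $settings = @{}
    foreach ($node in $doc.configuration.appSettings.add) {
        $settings[$node.key] = $node.value
    }
    return $settings
}

function Compare-DgeSettings {
    # Reports keys that are missing, differ from, or are absent from the baseline.
    param(
        [Parameter(Mandatory)][hashtable]$Actual,
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    $findings = @()
    foreach ($key in $Baseline.Keys) {
        if (-not $Actual.ContainsKey($key)) {
            $findings += [pscustomobject]@{ Key = $key; Expected = $Baseline[$key]; Actual = $null; Status = 'Missing' }
        } elseif ($Actual[$key] -ne $Baseline[$key]) {
            $findings += [pscustomobject]@{ Key = $key; Expected = $Baseline[$key]; Actual = $Actual[$key]; Status = 'Drift' }
        }
    }
    foreach ($key in $Actual.Keys) {
        if (-not $Baseline.ContainsKey($key)) {
            $findings += [pscustomobject]@{ Key = $key; Expected = $null; Actual = $Actual[$key]; Status = 'Unexpected' }
        }
    }
    return $findings
}

# Constructed sample that stands in for the real file when run off the server.
$sampleConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="ExampleLeaseRenewalMinutes" value="15" />
    <add key="ExampleMetricsIntervalMinutes" value="120" />
  </appSettings>
</configuration>
'@

# Baseline values an operator would keep under change control (invented names).
$baseline = @{
    ExampleLeaseRenewalMinutes    = '10'
    ExampleMetricsIntervalMinutes = '120'
}

$xmlText = if (Test-Path -LiteralPath $DgeConfigPath) {
    Get-Content -LiteralPath $DgeConfigPath -Raw
} else {
    $sampleConfig
}

Compare-DgeSettings -Actual (Get-AppSettingsFromXml $xmlText) -Baseline $baseline |
    Format-Table -AutoSize
```

Against the constructed sample this reports ExampleLeaseRenewalMinutes as Drift (15 instead of 10). On the real server, replace the baseline with the keys documented under Configurable configuration file settings; keep in mind that the page notes some settings can also be set in the registry, so a clean file does not by itself prove the effective configuration is what you expect.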
The following table lists the internal tasks that the Data Governance service performs, including the internal service name, a brief description of the task and the configuration variables that are available to customize the task.
Internal service name | Task description
Handles all resource access queries. This includes retrieving all trustees with access to a given resource, as well as all resources a given trustee has access to.
Handles the self-service requests initiated from the IT Shop. This includes identifying best fit groups based on resource and access requirements, retrieving group information, and getting or setting self-service configuration options.
Handles all aspects of agent lease management. This includes registering and unregistering agents, renewing leases, verifying agent connectivity, and retrieving agent information. The service manages lease renewal over a given period of time (configurable in the application configuration) by checking for expired agent leases and setting the agent states accordingly.
The Data Governance service uses this internal service to determine which agents are functioning. If the server does not receive a lease renewal from an agent within the expected time frame, the agent enters the "Lease Expired" state, which indicates that the server is unable to receive information from that agent.
Synchronizes managed DFS host information into the One Identity Manager database. This process enumerates the DFS targets and stores the relevant information in the database. Synchronization is performed using the service account linked to the managed host being synchronized. The information is harvested on a regular basis, at an interval set by the configuration variable.
Is used for getting and setting resource security, retrieving domain credentials, service account retrieval, SID and trustee resolution, and resource enumeration.
Is used for a number of services, including group expansion, domain retrieval, group searches, data model retrieval, and SID retrieval. In addition, this service maintains a cache of known managed domains and security information that is refreshed regularly based on configuration variables.
For group expansion, the service account for the managed domain is used; if this fails, the account used for Active Directory synchronization is used instead. In that case, the account used for Active Directory synchronization must be granted the "Log on as a service" right on the Data Governance server.
Provides the framework for processing messages received from deployed agents.
Is used for general infrastructure management. This includes actions such as triggering collection of data under governance and handling the steps required when a service is updated.
The service also contacts the agent to retrieve points of interest (POI) information on governed resources on a regular interval based on configuration variables.
Is used for managing jobs between the different Data Governance Edition internal services.
Provides an interface for managed domain information. This includes creating, querying and deleting managed domains, as well as validating service account access within a given domain.
This service also maintains a cache of managed domain information, including the service account. This cache is refreshed every three minutes.
Provides managed host functionality for creating, updating, reinstalling and removing managed hosts. In addition, the service provides a framework for retrieving information about synchronized accounts, synchronized machines, synchronized SharePoint farms, and service accounts.
This service also provides functionality for retrieving, upgrading, restarting, adding, removing, registering, unregistering, leasing and updating agents, as well as retrieving agent logs and parsing agent metrics.
Exposes managed resource objects from the database layer. This includes creating, deleting, retrieving and updating managed resource types, managed group templates, group permissions, managed share root paths, managed resource domains, and name pattern resolvers.
This service also provides information about managed resources and their relationship with data under governance.
Manages the core Data Governance Edition dependencies by ensuring a valid database connection is established, creating and maintaining Data Governance Edition's service connection point, and updating and maintaining deployment information, such as the server version.
Provides the framework for metric collection. Core metrics include POI metrics, agent communication metrics, and agent performance metrics. The frequency of metric collection is set using an entry in the application configuration file.
Provides functionality related to resource activity and resource ownership. Actions include retrieving resource and trustee activity, calculating and granting perceived ownership, and aggregating resource activity.
This internal task runs a synchronization every five minutes after the Data Governance service starts; the interval is not configurable. Each run checks the QAMDuG table for "stale" entries.
The LastOwnerShipCalculation column in the QAMDuG table stores the last time the synchronization ran. An entry is considered "stale" if one of the following is found to be true:
This service updates the perceived owner and POIs for governed resources on a regular interval, configurable within the application configuration file.
Provides functionality related to resource expansion, governance and publication. Actions include placing and removing resources under governance, publishing and unpublishing resources to the IT Shop, performing resource searches, and performing resource enumeration.
All actions requiring service account credentials are performed using the service account for the targeted managed domain.
Exposes resource policy objects from the database layer and provides the framework for resource provisioning. This includes the ability to create, delete, query and update access templates, trustee templates and resource policies. In addition, this service allows for resource provisioning.
Handles the updating of managed host states.
For a description of managed host states, see the One Identity Manager Data Governance Edition User Guide.
Handles actions regarding the Data Governance Edition service accounts. Actions include querying, creating, removing and validating service account credentials, and granting the "Log on as a service" right to a given account.
This service is consumed by both PowerShell and the Manager.
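The page refers to the "Log on as a service" right in two places: the Active Directory synchronization account needs it on the Data Governance server when it is used as the fallback for group expansion, and the service-account task above can grant it. As an added example (not One Identity's code and not the product's own cmdlet), the following PowerShell checks whether a given account already holds SeServiceLogonRight on the local machine and, only if it does not, grants it through secedit while touching nothing but the USER_RIGHTS area. It assumes an elevated PowerShell session on the Data Governance server; the account name CONTOSO\svc-adsync is a placeholder.

```powershell
# Added example, not One Identity code. Assumes an elevated PowerShell session
# on the Data Governance server. 'CONTOSO\svc-adsync' is a placeholder account.

function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Export-UserRights {
    # secedit writes the current user-rights assignments to a Unicode INF file.
    $inf = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    $null = & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet
    if (-not (Test-Path -LiteralPath $inf)) { throw 'secedit export failed (run elevated).' }
    return $inf
}

function Test-ServiceLogonRight {
    # True when the account's SID is listed on the SeServiceLogonRight line.
    param([Parameter(Mandatory)][string]$Account)
    $sid = Get-AccountSid $Account
    $inf = Export-UserRights
    try {
        $line = Get-Content -LiteralPath $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        if (-not $line) { return $false }
        # Grantees are comma-separated; SIDs carry a leading '*'.
        $grantees = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() }
        return [bool]($grantees -contains "*$sid")
    } finally {
        Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    }
}

function Grant-ServiceLogonRight {
    param([Parameter(Mandatory)][string]$Account)
    if (Test-ServiceLogonRight $Account) {
        Write-Host "$Account already holds SeServiceLogonRight"
        return
    }
    $sid = Get-AccountSid $Account
    $inf = Export-UserRights
    $db  = [System.IO.Path]::ChangeExtension($inf, '.sdb')
    try {
        $lines = @(Get-Content -LiteralPath $inf)
        $idx = -1; $hdr = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match '^SeServiceLogonRight\s*=') { $idx = $i }
            if ($lines[$i] -match '^\[Privilege Rights\]')    { $hdr = $i }
        }
        if ($idx -ge 0) {
            # Append only this SID; never rewrite the existing grantees.
            $lines[$idx] = $lines[$idx].TrimEnd() + ",*$sid"
        } else {
            if ($hdr -lt 0) { throw 'No [Privilege Rights] section in export.' }
            $before = $lines[0..$hdr]
            $after  = if ($hdr + 1 -lt $lines.Count) { $lines[($hdr + 1)..($lines.Count - 1)] } else { @() }
            $lines  = @($before) + "SeServiceLogonRight = *$sid" + @($after)
        }
        Set-Content -LiteralPath $inf -Value $lines -Encoding Unicode
        $null = & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet
        if (-not (Test-ServiceLogonRight $Account)) {
            throw "Grant failed for $Account; see $env:windir\security\logs\scesrv.log"
        }
        Write-Host "Granted SeServiceLogonRight to $Account"
    } finally {
        Remove-Item -LiteralPath $inf, $db -ErrorAction SilentlyContinue
    }
}

Grant-ServiceLogonRight -Account 'CONTOSO\svc-adsync'
```

Checking before granting, and appending a single SID rather than replacing the line, keeps the change minimal and reviewable; if the server's user-rights assignments are managed by Group Policy, a local grant made this way will be overwritten at the next policy refresh, so the right should then be granted in the applicable GPO instead.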